Inspection Limitations

•State information for multimedia sessions that require inspection is not passed over the state link for stateful failover. The exception is GTP, which is replicated over the state link.

•Some inspection engines do not support PAT, NAT, outside NAT, or NAT between same security interfaces. See "Default Inspection Policy" for more information about NAT support.

•For all application inspections, the adaptive security appliance limits the number of simultaneous, active data connections to 200 connections. For example, if an FTP client opens multiple secondary connections, the FTP inspection engine allows only 200 active connections; the 201st connection is dropped, and the adaptive security appliance generates a system error message.

•Inspected protocols are subject to advanced TCP-state tracking, and the TCP state of these connections is not automatically replicated. While these connections are replicated to the standby unit, there is a best-effort attempt to re-establish a TCP state.